Educause Security Discussion mailing list archives

Re: Periodic reviews of Windows file shares


From: Mandi Witkovsky <witkovsm () PFW EDU>
Date: Fri, 4 Jan 2019 19:38:07 +0000

We’re on the tail end of a massive audit of our network shares, so I feel your pain.  For the last 5 years (for as long 
as we have had a dedicated security & identity team) we have ensured that for any new folder creations, we were 
granting access via a unique security group only at the root level folder.  Prior to that, access was granted pretty 
much willy-nilly at any level of the folder structure, sometimes using a group but sometimes based on OU or username.  
Basically whatever changes our users asked for were carried out, more or less unquestioned.  What a mess that was to 
keep track of.

Our cleanup process entailed getting a report of the current access controls for all folders (mapped as drive letter 
“O”) and then for anything that was outside of our current standard (one root folder, one group) we “fixed the glitch”.
In some cases, this meant creating a new root level folder with a new security group.  In other cases, we removed the 
extraneous permissions and ensured the membership of the group was appropriate.  It was a lot of work but it leaves us 
in a better place.

From this point forward, audits should be much easier.  All our groups are named a certain way (o-foldername) and the 
group’s description indicates owner, purpose, and department.  Running a report of access controls should show whether 
access is being granted only at the root level, and then it’s a matter of contacting owners to make sure the folder is 
still needed and the membership is correct.  And breaking the fingers of any sys admin that grants access on a 
subdirectory.  ☺

We’re a relatively small central IT shop, and we just don’t have the manpower to properly maintain complicated file 
permissions for every department on campus.  We made one exception for a department that has their own IT technician 
and a very complicated set of folder permissions which they wanted to maintain.  For this we laid down the ground rules 
and gave them the access to manage it on their own.

mandi


Mandi Witkovsky
Manager of Security and Identity
Information Technology Services
Purdue University Fort Wayne
witkovsm () pfw edu




From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Jared Evans
Sent: Friday, January 4, 2019 10:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Periodic reviews of Windows file shares

What are some of your best practices or recommendations on how to effectively conduct periodic access control reviews 
of large Windows file shares, which can span many folders and groups?

While we keep track and document any access control changes to the shares over time, we would also like to conduct 
reviews of how the access to the shares is actually set.  A comprehensive report listing all the access control 
settings of file shares would be massive and I would like to see if there are any other approaches I can undertake for 
quick and effective reviews.

--
Jared Evans
Information Security Officer
Gallaudet Technology Services
Gallaudet University
jared.evans () gallaudet edu
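
The exception report described in the reply above (explicit permissions anywhere below a root folder, or a root folder granting access to something other than its o-foldername group) can be produced in PowerShell along these lines. This is an added example, not part of either message; the baseline identities, the CAMPUS domain and the sample records are assumptions constructed for illustration.

```powershell
# Added example: flag ACL entries that break the "one root folder, one group" standard.
# Assumptions: share root O:\, groups named o-<foldername>, and the identities in
# $Baseline are the only other entries expected on a root folder.
$Baseline = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER'

function Get-ExplicitAce {
    # Collect only explicit (non-inherited) ACEs for every folder under $Root.
    param([string]$Root = 'O:\')
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $path = $_.FullName
            (Get-Acl -LiteralPath $path).Access | Where-Object { -not $_.IsInherited } |
                ForEach-Object {
                    [pscustomobject]@{ Path = $path; Identity = $_.IdentityReference.Value
                                       Rights = $_.FileSystemRights }
                }
        }
}

function Test-AceAgainstStandard {
    # Classify one explicit ACE by where it sits relative to the share root.
    param([Parameter(ValueFromPipeline)]$Ace, [string]$Root = 'O:\', [string]$Prefix = 'o-')
    process {
        $parts    = $Ace.Path.Substring($Root.Length).Trim('\').Split('\')
        $account  = ($Ace.Identity -split '\\')[-1]          # drop the DOMAIN\ part
        $expected = "$Prefix$($parts[0])"
        $finding  = if ($parts.Count -gt 1) {
            'Explicit permission on a subdirectory'
        } elseif ($Baseline -contains $Ace.Identity) {
            $null                                            # expected system entry
        } elseif ($account -ne $expected) {
            "Root folder grants access to something other than $expected"
        }
        if ($finding) {
            [pscustomobject]@{ Path = $Ace.Path; Identity = $Ace.Identity
                               Rights = $Ace.Rights; Finding = $finding }
        }
    }
}

# Constructed sample records (not real data) so the logic can be tried without a share.
$sample = @(
    [pscustomobject]@{ Path = 'O:\Finance';         Identity = 'CAMPUS\o-Finance'; Rights = 'Modify' }
    [pscustomobject]@{ Path = 'O:\Finance';         Identity = 'CAMPUS\jdoe';      Rights = 'Modify' }
    [pscustomobject]@{ Path = 'O:\Finance\Payroll'; Identity = 'CAMPUS\o-Payroll'; Rights = 'Read' }
)
$sample | Test-AceAgainstStandard | Format-Table -AutoSize
# Live share: Get-ExplicitAce | Test-AceAgainstStandard | Export-Csv exceptions.csv -NoTypeInformation
```

Because only non-inherited entries are collected, the output stays limited to deviations rather than a full listing of every ACL on the share.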
